Use-authorization device for security-related applications



The invention relates to a use-authorization device for security-related
applications, in particular access control to secure areas or for securing vehicles, with a
user-end key unit for generating consecutive, alternating user code information which has a
sequence of consecutive function values $v_{i+1} = F(v_i, \mathrm{const})$ for $i = 0,\dots,N$ through the
repeated use of a one-way function $F(v_i, \mathrm{const})$, which function values are used in inverse
order to the sequence formation to create the consecutive user code information, and an
application-end processing unit for determining actual authorization information which is
dependent upon the user code information received from the key unit and for performing a
use-authorization checking operation by comparing this actual authorization information with
the application-end desired authorization information, as well as for generating use-release
information depending on the result of the comparison, wherein the desired authorization
information has a function value $v_i$ which has been transferred from the user code
information processed during the previous positive use-authorization operation.



Such a use-authorization device is known, for example, from DE 44 11 449
C1, wherein the use-authorization device described there is provided for securing a vehicle
and as a portion of a vehicle immobilizer.

Such a use-authorization device works on the basis of a so-called alternating 
code method, in which security against unauthorized use of the security-related application 
after interception of the transmitted code information is increased by virtue of the fact that 
the code information changes every time the use-authorization is checked, also called the 
authentication process. This code change can only be realized with the aid of unidirectional 
code information transmissions from the key end to the application end such that secret 
information about a base number or a starting value and an algorithm are saved both at the 
key end and at the application end, according to which algorithm sequential code information 
can be derived from the starting value. In this way, use-authorization can be checked at the 
application end by comparing the code information which is produced at the key end with the
code information which is transmitted at the key end. 



For the purposes of the unidirectional code information transmission, a one-way
function $F(v_i, \mathrm{const})$ is specified which can only be inverted with considerable time
and/or financial outlay, if at all. A high-grade, non-linear Boolean function or a hash function
are possibilities here, in particular. Based on a starting value of $v_0$, new function values can
be calculated iteratively by means of

$$v_{i+1} = F(v_i, \mathrm{const}), \quad i = (0,\dots,N) \qquad (1)$$

only the last of which is a variable parameter, wherein the parameter const is a constant
and/or the function value for a specific index $i$ and/or can only be known to the key unit and
the access control unit. The function values are used in descending order from $v_N$ to $v_0$ for
the use-authorization unit. A suitable implementation requires the values $v_0$ and const in
order to calculate all the function values between $v_0$ and $v_N$ in ascending order. The starting
values $v_0$ and const must be known at both the key unit end and at the security-related
application end.

It should be pointed out for the sake of completeness at this point that the use- 
authorization device of the type described before is not only limited to a vehicle immobilizer; 
another important area of use is, for example, access control systems to all types of secure 
areas in which the key has to authorize itself to the lock. 

Generally speaking, if there is a large number of authorizations intended (e.g.
100,000), it is not expedient to save all the requisite values in the key unit. Consequently, the
key unit must have a method for calculating the output value which is currently required from
equation (1) and from a starting value $v_0$ or several values $v_i$, with knowledge of the function
$F$. A general drawback with simple approaches to implementing the use-authorization unit
described above is that the outlay in terms of computing time and/or memory space for
calculating the individual consecutive output values during runtime fluctuates considerably,
which makes it difficult or even impossible to use in systems with limited resources.
Technology with scalable cost in terms of memory space and computing time is
indispensable for systems of this type. In addition, the system should [...]
period of time, to be defined precisely beforehand, between the transmission of two
consecutive output values in order to be able to synchronize various system parameters
accordingly.

WO 2005/060153    PCT/IB2004/052672

Consequently, in the case of a use-authorization device of the type specified at
the start, the invention proposes providing a certain number of levels $G$, wherein a certain
number of iterative function value calculations can be performed in each level by means of
the one-way function $F(v_i, \mathrm{const})$, wherein there are $G = \lceil L(N)/b \rceil$ levels, wherein $N$ is
the starting value, $L(N)$ is the number of bits required for representing $N$ in the dual
system and $b$ is the basis for defining the number of levels and the number of function value
calculations required in each iteration step ($\lceil x \rceil$ is the smallest integer greater than or
equal to $x$).

The invention is suitable for realizing the unidirectional encryption method,
described above, to particularly advantageous effect on devices with limited resources in
terms of volatile and/or non-volatile memory space, e.g. in the RAM and EEPROM and/or
computer performance, such as a programmable or non-programmable, so-called embedded
controller. When the invention is used on embedded low-cost controllers (for remote keyless
entry in the car-manufacturing industry, for example), there are particularly positive benefits,
such as the short development time of the implementation, the consistency of the method in
terms of memory space requirements during runtime, the scalability in terms of memory
requirements and execution time and the robust response to interruptions during runtime
(such as interruptions in the power supply in the case of inductively operated key units). The
same also applies to an implementation of the invention as a hard-wired logic device.

There is preferably a support point $s(i)$, where $i = (1,\dots,G)$, provided for each
level. Here, some function values are set up as so-called support points which are either
system defaults or which are calculated by the actual key unit by means of iteration before
the algorithm starts. The computational workload can be reduced with the aid of other
support points per level or only for certain levels.

The values for the support points $s(i)$ are expediently determined from the
equation

wherein $N$ is the starting value, which is defined in the equation (1), of the output values.
Ordinarily, no function values can be calculated for negative indices, which limits the 
application of the equation (2) to support points with a positive index. 

The parameter b should preferably be adapted for a specified number of 
support points in such a way that the function value calculations per use authorization are 
minimized.

Ordinarily, starting from the current support point $s(i)$, there should be a
certain number of function values calculated in each level in descending order and saved as 
intermediate values. An intermediate value for the support point in a level should be reset 
successively in this level once this intermediate value, as a new support point, has been 
transferred to the next level down. 

In order to permit any starting values $N$, the corresponding requisite
intermediate values can either be supplied as well or be predefined as a starting value
$N = (2^b)^G$, in which case the method can be started with $(2^b)^G$ and be performed up to the
index $i = N$.

Alternatively, it is also conceivable, however, that 

applies to the starting value which allows the unrestricted use of equation (2) for the 
calculation of the support points. This can be achieved through suitable system defaults. 

It will be expedient if there are several buffers provided for saving 
intermediate values which are calculated from the function values. In order to reduce write 
operations while intermediate values are being saved, several buffers can be provided per 
level which are written to and read on a rotating basis and are, thus, designed as a FIFO
memory.

These and other aspects of the invention are apparent from and will be
elucidated with reference to the embodiments described hereinafter. 
In the drawings: 

Fig. 1 shows a block diagram of a preferred embodiment of the use-
authorization system in accordance with the invention; 

Fig. 2 shows a diagram illustrating the arrangement of support points and 
intermediate values, as well as the spaces between the individual support points following the 
initialization of the use-authorization system in Fig. 1; 

Fig. 3 shows a diagram illustrating the arrangement of support points and 
intermediate values, as well as the spaces between the individual support points during the
output of the eighth value; and 

Fig. 4 shows a diagram illustrating the arrangement of support points and 
intermediate values, as well as the spaces between the individual support points during the 
output of the ninth value. 



The description below relates to a preferred embodiment of a use-
authorization system, which is illustrated diagrammatically in Fig. 1, on the basis of a method
implemented therein, which results in a constant need for working memory (e.g. RAM and/or
EEPROM) between the output of two consecutive values. Based on the number of support
points used, it is scalable whether less execution time is required when working memory
requirements rise, or vice versa, while the need for program memory (ROM) remains
virtually unaffected by this.

As previously described, there is a default one-way function $F(v_i, \mathrm{const})$
which cannot be inverted or which can only be inverted with considerable outlay (e.g. a
high-grade, non-linear Boolean function or a hash function). Based on a starting value of $v_0$, new
function values $v_i$ can be calculated iteratively by means of

$$v_{i+1} = F(v_i, \mathrm{const}), \quad i = (0,\dots,N) \qquad (1)$$

wherein only the last function value is a variable parameter. The parameter const may be a
constant and/or the function value for a specific index $i$ or a value which is only known to
this use-authorization device.

The object is to output the function values in descending order from $v_N$ to $v_0$.
As the inverse function of $F$ is not known, an implementation requires $v_0$ and const in order
to calculate all the values between $v_0$ and $v_N$. The method described here requires some
function values, as so-called support points, which either already exist or which are
calculated from the given starting values by means of iteration before the algorithm, which is
described here, starts.

The function values $v_i$ have to be output for indices $i$ from $N$ to 0 wherein,
as described above, only $v_{i+1} = F(v_i, \mathrm{const})$ can be calculated on each occasion. $L(N)$ is the
number of bits required to display $N$ in the dual system and $b$ is the basis, which determines
how many support points are absolutely necessary, as well as the maximum number of
iterative function calculations required per level. As the total implementation is based on the
index $i$, the value of the basis $b$ can also be interpreted as the number of consecutive bits in
$i$: bits 0 to $b$ form the counter for level 1, bits $b+1$ to $2b$ form the counter for level 2, and
so on. The actual number of levels is calculated from

which also corresponds at the same time to the number of support points which are absolutely 
necessary as each level requires at least one support point. These support points are referred 
to hereinafter as $s(i)$ where $i = (1,\dots,G)$ for each of the levels $i$.

A distinction can be made between two cases for the values of the support
points:

Case 1: In the case of $N = (2^b)^G$, $s(g) = N - \sum_{j=1}^{g} (2^b)^j$ where $g = (1,\dots,G)$.

Consequently, $s(G)$ is negative. If this value cannot be calculated, this causes a slight
change in the algorithm described below, although this does not affect the fundamental
sequence.

Case 2: In the case of $N \in \{(2^b)^{G-1},\dots,(2^b)^G - 1\}$, it is sufficient to simulate the
algorithm described below until the index $N$ is reached and to output the intermediate values
and support points saved then and to use them as initialization values.

If case 1 above applies with $b = 3$ and $N = (2^b)^G = 4096$, then $G = 4$, and the
support points are ascertained using equation (3):

$s(1) = v_{N-8} = v_{4088}$
$s(2) = v_{N-72} = v_{4024}$
$s(3) = v_{N-584} = v_{3512}$
$s(4) = v_{N-4680} = v_{-584}$

$s(4)$ applies here provided it cannot be calculated from $v_0$. Following the output of the first
value $v_{4096}$, the value of the counter $C$ is

of the counters $c(i)$ of the individual basis $b = 3$ levels are $c(i) = (111)_b = 7$.

The arrangement of the support points and of the spaces between the 
individual support points, as described above, is shown diagrammatically in Fig. 2 and, at the 
same time, represents the basis for the sample algorithm described below. 

The second output value should now be calculated based on the configuration
illustrated in Fig. 1. In accordance with the counter values $c(i)$, the intermediate values $z(i)$
are calculated from the support points $s(i)$ by means of the iterative application of $F(v_i)$.

They are given by:

$s(4) = v_{-584}$    $z(4) = v_{-577}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3519}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4031}$    $c(2) = 7$
$s(1) = v_{4088}$    $z(1) = v_{4095}$    $c(1) = 7$
$C = 4095 = (111.111.111.111)_b$

$z(1)$ is the second output value sought here.

In order to calculate the third output value, the whole process is repeated with
the level counters $c(4) = 7$, $c(3) = 7$, $c(2) = 7$ and $c(1) = 6$ which are derived from the
counter $C = 4094 = (\underbrace{111}_{c(4)}.\underbrace{111}_{c(3)}.\underbrace{111}_{c(2)}.\underbrace{110}_{c(1)})_b$. The intermediate values $z(i)$, which are changed
accordingly, are used in all levels apart from level 1 as starting values instead of $s(i)$. $s(1)$
is always used in level 1, however. This gives rise to the following for the intermediate
values:

$s(4) = v_{-584}$    $z(4) = v_{-570}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3526}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4038}$    $c(2) = 7$
$s(1) = v_{4088}$    $z(1) = v_{4094}$    $c(1) = 6$
$C = 4094 = (111.111.111.110)_b$
and the desired output value appears in $z(1)$. The following apply once a further six output
values have been calculated:

$s(4) = v_{-584}$    $z(4) = v_{-528}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3568}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4080}$    $c(2) = 7$
$s(1) = v_{4088}$    $z(1) = v_{4088}$    $c(1) = 0$
$C = 4088 = (111.111.111.000)_b$

Thus, for each output value, the intermediate values in the levels greater than 1 are
each advanced in accordance with their level counter $c(i)$, here by seven iterations of
function $F$ each time. The respective output value is calculated in level 1, wherein the
current counter $c(1)$ indicates the number of iterations of $F$, based on $s(1)$. This status is
illustrated in Fig. 3.

In order to calculate the value output next for $C = 4087 = (111.111.110.111)_b$,
$s(1)$ must be replaced following the output of $v_{4088}$. The method is devised in such a way
that the value being sought automatically appears in $z(2)$ as soon as the counter shows
$c(1) = 0$. Thus, $s(1) := z(2)$ is set, and $z(2) := s(2)$ is reset to the original value again,
yielding the following after the calculation of the next output value:

$s(4) = v_{-584}$    $z(4) = v_{-521}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3575}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4030}$    $c(2) = 6$
$s(1) = v_{4080}$    $z(1) = v_{4087}$    $c(1) = 7$
$C = 4087 = (111.111.110.111)_b$

Fig. 4 illustrates this status following the first underflow.
The steps described above for outputting the values for $C = 4087$ to $C = 4080$
can now be repeated successively wherein $c(4) = 7$, $c(3) = 7$ and $c(2) = 6$. In the case of
$C = 4080$, the following status applies:

$s(4) = v_{-584}$    $z(4) = v_{-472}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3617}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4066}$    $c(2) = 6$
$s(1) = v_{4080}$    $z(1) = v_{4080}$    $c(1) = 0$
$C = 4080 = (111.111.110.000)_b$
Each time an underflow occurs in $c(1)$, the replacement $s(1) := z(2)$ and
$z(2) := s(2)$ takes place. The following apply when the counter shows $C = 4032$:

$s(4) = v_{-584}$    $z(4) = v_{-136}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3960}$    $c(3) = 7$
$s(2) = v_{4024}$    $z(2) = v_{4024}$    $c(2) = 0$
$s(1) = v_{4032}$    $z(1) = v_{4032}$    $c(1) = 0$
$C = 4032 = (111.111.000.000)_b$

Consequently, apart from the existing $c(1)$ underflow, an underflow also
occurs at $c(2)$ in the next step. Due to the design, the new value for $s(2)$ is in the
intermediate value $z(3)$ for the next level up. $s(2) := z(3)$ and $z(2) := s(2)$, as well as
$s(1) := z(2)$ and $z(1) := s(1)$ are then set accordingly. As a result, the following then apply
for $C = 4031$:

$s(4) = v_{-584}$    $z(4) = v_{-129}$    $c(4) = 7$
$s(3) = v_{3512}$    $z(3) = v_{3518}$    $c(3) = 6$
$s(2) = v_{3960}$    $z(2) = v_{3967}$    $c(2) = 7$
$s(1) = v_{4024}$    $z(1) = v_{4031}$    $c(1) = 7$
$C = 4031 = (111.110.111.111)_b$

The carry-over of an intermediate value as the new support point for the next
level down and the resetting of the intermediate value to the support point for the same level
continue successively. The maximum computation workload is essentially derived from the
maximum number of function calculations $v_{k+1} = F(v_k, \mathrm{const})$ between two consecutive
output values and, thus, from the maximum number of values in $c(i)$, i.e. $28 = 4 \cdot 7$ in the
above example.

To enable any starting values $N$ to be used, either the appropriate, required
support points $s(i)$ must be supplied, or the method can be started with $(2^b)^G$ and can be
carried out up to the index $i = N$ while the system is being initialized before it then continues
with the method described above. The computational workload can also be reduced with the
aid of other support points per level or only for certain levels. The parameter $b$ can also be
adapted for a specified number of support points in such a way that the function value
calculations per use authorization are minimized, which also serves to minimize the total
number of function value calculations required by the system throughout the entire runtime.
Finally, where there are support points with a negative index for which no function values
can be calculated, a query can take place at $i = 0$.
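
The traversal described above, as an added example that is not part of the original specification: a Python implementation of case 1 with the page's parameters b = 3, G = 4, N = 4096 that outputs the values for C = N-1 down to 0 while holding only the 2G values s(i) and z(i). SHA-256 as F, the byte strings for v_0 and const, and all function names are assumptions of this example; support points with a negative index carry no value, and v_0 is loaded when the index reaches 0.

```python
import hashlib

B_BITS, G = 3, 4                        # b and G from the worked example on the page
B = 1 << B_BITS                         # 2^b = 8
N = B ** G                              # case 1: N = (2^b)^G = 4096
V0, CONST = b"demo-v0", b"demo-const"   # constructed v_0 and const

def F(v):
    """One-way function F(v, const); SHA-256 is this example's assumption."""
    return hashlib.sha256(v + CONST).digest()

def advance(point, n, calls):
    """Step an (index, value) pair n times along the chain. Negative indices
    carry no value; v_0 is loaded when the index reaches 0."""
    idx, val = point
    for _ in range(n):
        idx += 1
        if idx == 0:
            val = V0
        elif idx > 0:
            val = F(val)
            calls[0] += 1               # count real evaluations of F only
    return idx, val

def reference_chain():
    """v_0 .. v_{N-1} computed the naive way, used for checking only."""
    chain = [V0]
    for _ in range(N - 1):
        chain.append(F(chain[-1]))
    return chain

def traverse(trace_at=()):
    """Return (outputs v_{N-1}..v_0, worst F calls per output, index snapshots)."""
    s = []                              # s[0]..s[G-1] hold s(1)..s(G)
    for g in range(1, G + 1):
        idx = N - sum(B ** j for j in range(1, g + 1))
        s.append(advance((0, V0), idx, [0]) if idx >= 0 else (idx, None))
    z = list(s)                         # z[0]..z[G-1] hold z(1)..z(G)
    outputs, worst, snaps = [], 0, {}
    for C in range(N - 1, -1, -1):
        c = [(C >> (B_BITS * g)) & (B - 1) for g in range(G)]   # c(1)..c(G)
        if C != N - 1:
            t = 0                       # number of levels whose counter was 0 at C + 1
            while ((C + 1) >> (B_BITS * t)) & (B - 1) == 0:
                t += 1
            for g in range(t):          # levels 1..t: s(level) := z(level + 1)
                s[g] = z[g + 1]
            for g in range(1, t + 1):   # levels 2..t+1: z(level) := s(level)
                z[g] = s[g]
        calls = [0]
        for g in range(1, G):           # levels 2..G continue from their own z
            z[g] = advance(z[g], c[g], calls)
        z[0] = advance(s[0], c[0], calls)   # level 1 always restarts from s(1)
        outputs.append(z[0][1])
        worst = max(worst, calls[0])
        if C in trace_at:
            snaps[C] = ([p[0] for p in s], [p[0] for p in z], c)
    return outputs, worst, snaps
```

Calling `traverse((4095, 4087, 4031))` returns the index snapshots for three of the states tabulated above, and the second return value is the largest number of F evaluations spent on any single output, which stays within G(2^b - 1) = 28.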

In order to reduce write operations while intermediate values are being saved, 
several buffers can be provided per level which are written to and read on a rotating basis and 
are, thus, designed as a FIFO memory.



